Fling.com breach: Passwords and sexual preferences of 40 million users up for sale on dark web

Millions of credentials from Fling.com has surfaced for sale on the dark web marketplace The Real Deal iStock

Tens of millions of credentials reportedly stolen from an adult dating website called Fling.com have been put up for sale on the dark web. Currently listed on an underground marketplace called The Real Deal the information reportedly contains email addresses, plain text passwords, usernames, IP addresses and date of birth records. Additionally, the compromised data includes sexual preferences, whether the account was a free or paid version and the gender of the user.

The hacker responsible for selling the credentials, using the pseudonym 'peace_of_mind' claims the data dump contains over 40 million records. It is currently on sale for 0.8874 bitcoins which is equivalent to approximately £280 based on the exchange rate at the time of writing.

Fling.com is an adult-orientated website and social network in which members can create profiles, send personal messages and share explicit pictures. Under its terms of service, the website notes: "We cannot ensure the security or privacy of information you provide through the internet, email, messaging or otherwise [...] you release us from any and all liability in connection with the breach of the security of such information."

According to Vice Motherboard, the individual who manages the domain for the website has confirmed the legitimacy of the leaked data but claimed it was old information. "We take internet security very seriously," the administrator said. "Our site is free to join and we do not store any credit card information. We've investigated the sample data and it is from a breach that happened in 2011."

Troy Hunt, a security researcher who runs the breach notification website 'HaveIBeenPwned', also analysed the Fling.com dataset and contacted a number of people included in the trove of usernames.

A screenshot from The Real Deal marketplaceScreenshot/IBTimes UK

Hunt told IBTimes UK: "It's just another example of an online asset you'd expect to remain secure being compromised. The plain text passwords make it particularly worrying as they had absolutely no protection in the database." While one of the victims confirmed their leaked password was legitimate, another said they had never signed up for the dating website at all, Motherboard reported.

The leak is the latest in a long line of dating websites being targeted by hackers and follows similar incidents at Ashley Madison, Mate1, BeautifulPeople and Adult Friend Finder. In each of these cases, hundreds of thousands – if not millions – of sensitive records were compromised. While in the case of Ashley Madison alone, the release of information had severe consequences – including blackmail attempts, high-profile resignations and even suicide.

Despite claims the data is five years old, any users of Fling.com are now advised to change their passwords in order to stay safe from future account exploitation.